Stage 4 · Provision
Validation, Policy & Secrets
TFLint Rules
Provider-specific rulesets, custom checks, naming conventions, and plugin configuration — linting Terraform for best practices.
What Is TFLint?
TFLint is a Terraform linter that catches errors, enforces best practices, and checks provider-specific rules. It goes beyond terraform validate by detecting issues like deprecated attributes, incorrect resource usage, and naming violations.
$ tflint
$ tflint --config .tflint.hcl
$ tflint --format json > tflint.json
$ tflint --fix # Auto-fix some issuesTFLint analyzes Terraform files without connecting to APIs. It catches static analysis issues that terraform validate misses. The --fix flag auto-fixes some issues.
Provider Rulesets
plugin "aws" {
enabled = true
version = "0.28.0"
source = "github.com/terraform-linters/tflint-ruleset-aws"
}
plugin "azurerm" {
enabled = true
version = "0.24.0"
source = "github.com/terraform-linters/tflint-ruleset-azurerm"
}
plugin "google" {
enabled = true
version = "0.18.0"
source = "github.com/terraform-linters/tflint-ruleset-google"
}Provider rulesets contain rules specific to each cloud provider. The AWS ruleset catches deprecated instance types, missing encryption, and invalid configurations. Enable only the providers you use.
TFLint Configuration
# Disable specific rules
rule "terraform_naming_convention" {
enabled = false
}
# Configure rule severity
rule "terraform_deprecated_interpolation" {
enabled = true
severity = "warning"
}
# Set variables for rules
plugin "aws" {
enabled = true
version = "0.28.0"
source = "github.com/terraform-linters/tflint-ruleset-aws"
# Set region for rules that need it
rules {
enabled = true
}
}Rule configuration enables or disables specific rules. Severity levels are error, warning, and info. Error causes TFLint to fail. Warning reports issues without failing. Info is informational only.
Custom Rules
# .tflint.hcl
plugin "custom-rules" {
enabled = true
source = "github.com/custom/tflint-rules"
}
# Or use rego rules
plugin "rego" {
enabled = true
version = "0.2.0"
source = "github.com/terraform-linters/tflint-plugin-rego"
}Custom rules extend TFLint with organization-specific checks. The rego plugin allows writing rules in Rego. This is useful for enforcing custom naming conventions and policy requirements.
Naming Conventions
rule "terraform_resource_naming" {
enabled = true
format = "snake_case"
}
rule "terraform_variable_naming" {
enabled = true
format = "snake_case"
}
rule "terraform_output_naming" {
enabled = true
format = "snake_case"
}Naming convention rules enforce consistent naming across all resources, variables, and outputs. snake_case is the most common convention. Consistent naming improves readability and maintainability.
CI Integration
- name: TFLint
uses: terraform-linters/setup-tflint@v4
with:
tflint_version: latest
- name: Run TFLint
run: |
tflint --init
tflint --format json > tflint.json
continue-on-error: true
- name: Comment TFLint results
uses: actions/github-script@v7
with:
script: |
const tflint = require('./tflint.json');
const issues = tflint.issues || [];
// Post PR comment with TFLint resultsThe TFLint step initializes plugins, then runs the linter. JSON output enables programmatic processing. The comment step posts results to the PR.
TFLint is faster than terraform validate because it does not need provider initialization. Run TFLint first to catch simple issues, then validate for deeper checks.
TFLint plugins must be downloaded before running. Run tflint --init to download plugins. In CI, cache the plugins directory to speed up subsequent runs.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.